I think it was Patrick Darden who posted this rule:
alert ip any any -> any any (msg:"Malware flowgo"; content:"flowgo";nocase;)
I would advise against any rule where the content=msg. If it ever triggers,
and you are logging to a remote syslog server or database, a "snowball"
effect will kick in and you will DOS the network and servers. The logging
information alone will keep triggering the rule logarithmically.
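The snowball Patrick warns about is easy to check for mechanically. The Python below is an added example, not code from the thread or from Snort: it parses the simple rule syntax used in this thread (header, `msg`, `content` with `\` escapes and `|hex|` blocks, `nocase`), then asks for each rule whether its own `msg` text would satisfy its own `content` matches. If it would, every alert shipped over the network as syslog or a database insert is a packet payload that re-triggers the rule. The syslog line is constructed for the demonstration, and the rule text is copied from the messages below; the option names are the real Snort ones, but the parser is deliberately minimal and ignores `flags` and every other option.

```python
from dataclasses import dataclass, field

# Rules quoted from this thread (only the rule text is from the page).
RULES = [
    'alert ip any any -> any any (msg:"Malware flowgo"; content:"flowgo";nocase;)',
    'alert tcp any any -> $HOME_NET 8080 (msg:"Gator updates"; '
    'content:"Host\\: updateserver.gator.com"; flags: PA;)',
]

# Constructed syslog datagram of the kind a sensor would emit when the flowgo rule fires.
SYSLOG_LINE = (b"<33>Feb 29 12:26:01 sensor snort[1234]: [1:1000001:0] Malware flowgo "
               b"{IP} 10.0.0.5 -> 10.0.0.9")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    contents: list = field(default_factory=list)  # [pattern bytes, nocase flag] per content


def split_options(body):
    """Split the option body on ';' while honouring double quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def unescape_content(raw):
    """Bytes Snort searches for: '\\x' escapes become the literal character, |hex| becomes bytes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            out += raw[i + 1].encode("latin-1")
            i += 2
        elif ch == "|":
            end = raw.index("|", i + 1)
            out += bytes.fromhex(raw[i + 1:end])
            i = end + 1
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def parse_rule(text):
    head, _, body = text.strip().partition("(")
    fields = head.split()
    if len(fields) != 7 or not body.endswith(")"):
        raise ValueError("unsupported rule header: %r" % text)
    rule = Rule(*fields)
    for opt in split_options(body[:-1]):
        name, _, value = opt.partition(":")   # split on the first ':' only; msg/content may contain more
        name, value = name.strip(), value.strip()
        if name == "msg":
            rule.msg = value.strip('"')
        elif name == "content":
            rule.contents.append([unescape_content(value.strip('"')), False])
        elif name == "nocase" and rule.contents:
            rule.contents[-1][1] = True       # nocase modifies the preceding content
    return rule


def matches(rule, payload):
    """True when the payload satisfies every content match of the rule (header is ignored here)."""
    for pattern, nocase in rule.contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return bool(rule.contents)


def self_triggering(rule):
    """Would the rule's own alert text, once it travels over the wire as a log, match the rule?"""
    return matches(rule, rule.msg.encode("latin-1"))


def lint(rule_texts):
    """Return the msg of every rule whose content would be found inside its own alert text."""
    return [r.msg for r in map(parse_rule, rule_texts) if self_triggering(r)]


if __name__ == "__main__":
    for text in RULES:
        r = parse_rule(text)
        print("%-30s self-triggering=%s  fires on own syslog=%s"
              % (r.msg, self_triggering(r), matches(r, SYSLOG_LINE)))
```

The flowgo rule flags on both counts: its `msg` contains its `content`, and with an `ip any any -> any any` header the syslog datagram carrying the alert is itself in scope, so each alert produces another alert. The Gator rule passes: "Gator updates" does not contain the Host header it matches, and its header (`-> $HOME_NET 8080`) would exclude a syslog datagram anyway. Keeping `msg` free of the literal `content` string, or restricting the header so log traffic is out of scope, breaks the loop.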
_____
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Jerry Shenk
Sent: Sunday, February 29, 2004 12:26 PM
To: 'Darden, Patrick S.'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Adware/Malware Rules List
I came here looking for exactly this. That's a start... the problem is there
are SO MANY of these stupid things! I'd like to alert on Gator and all the
rest of 'em so we can keep our machines clean.
Here are a couple that I have set up...not many but maybe it will help get
things rolling:
alert tcp any any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Installshield updates"; content:"Host\: updates.installshield.com"; flags: PA;)
alert tcp any any -> $HOME_NET 8080 (msg:"Comet Systems update"; content:"Host\: update.cc.cometsystems.com"; flags: PA;)
Here's a link to a rather old posting (Jan 2002) related to this issue.
There's a pretty good sized list here but many of them have probably
changed:
http://groups.google.com/groups?q=snort+adware+rules&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=BbK18.8737%24gf1.49194%40news-server.bigpond.net.au&rnum=6
Here's another related site:
http://www.doxdesk.com/parasite/
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Darden,
Patrick S.
Sent: Friday, February 27, 2004 11:05 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Adware/Malware Rules List
I had a large number of requests for my ruleset for Ad/Malware, so I have
placed it on the web at:
https://www.armc.org/malware/
It ain't nothing special, but it works for us. If you have any additions,
please email me so we can make this ruleset grow into something useful.
Thanks,
--Patrick Darden
--Internetworking Manager